Gossamer Forum

Shell script

Can anyone spot my booboo - it is driving me mad. It seems to do exactly what I want except the if block is not running when it should be :(

Code:
#!/bin/sh
echo Try to block people who are spreading CodeRed/Nimda
echo ------------------------------------------------------------------
echo Grabbing list of currently blocked IPs
# Existing block list: the host part of each "ALL: host" line in hosts.deny
cat /etc/hosts.deny | grep "ALL:" | sed "s/ALL: //" | sort | uniq > /var/tmp/worms.blocked
echo Updating IP list using access_log
# Client addresses (first log field) that requested CodeRed/Nimda probe paths
egrep -i "(cmd.exe|root.exe|default.ida|_vti_bin)" /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq |
while read host
do
    # Only hosts not already in the list (-x: whole-line match) get a rule
    if (! fgrep -x "$host" /var/tmp/worms.blocked) then
        echo Adding $host to blocked sites
        echo "$host" >> /var/tmp/worms.blocked
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done
echo Done!

I've tried echoing $host inside the while loop and it is working fine but it seems the fgrep is not working for some reason and so the ipchains command is never called.

I've tried the fgrep on its own from my ssh account and that works when I manually enter an IP to match.

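As an added example (not Paul's script, and not part of the original post): the same scan-and-compare step written so that the membership test is an exact whole-line match and the only side effect is printing the hosts that still need a rule. It assumes Apache Common Log Format with the client address in the first field; the access_log lines and the existing block list are constructed sample data, and the firewall call itself is left out so the logic can be checked on any machine.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Lists client addresses
# that requested CodeRed/Nimda probe paths and are not yet in a block list.

# Probe paths from the thread's grep pattern (dots escaped so they match
# literally rather than "any character").
WORM_PATTERN='(cmd\.exe|root\.exe|default\.ida|_vti_bin)'

# new_worm_hosts LOGFILE BLOCKLIST
# Prints each client address (first field of a Common Log Format line) that
# requested a probe path and does not already appear as a whole line in
# BLOCKLIST.  Feeding this output to "ipchains -I input -s $host -j DENY"
# (or the iptables equivalent) is the step deliberately left out here.
new_worm_hosts() {
    log=$1
    blocked=$2
    grep -Ei "$WORM_PATTERN" "$log" |
        awk '{ print $1 }' |
        sort -u |
        while read -r host; do
            # -F fixed string, -x whole line, -q no output.  Without -x,
            # 10.0.0.1 would be "found" when only 10.0.0.12 is listed and
            # would silently never get a rule.
            if ! grep -Fxq -- "$host" "$blocked"; then
                printf '%s\n' "$host"
            fi
        done
}

# run_demo: constructed sample data standing in for access_log and the
# block list; 10.0.0.12 is already blocked, 192.0.2.7 is an ordinary visitor.
run_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/access_log" <<'EOF'
10.0.0.12 - - [16/Nov/2002:04:35:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.1 - - [16/Nov/2002:04:35:01 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 324
192.0.2.7 - - [16/Nov/2002:04:35:02 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.1 - - [16/Nov/2002:04:35:03 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
EOF
    printf '%s\n' 10.0.0.12 > "$dir/worms.blocked"
    new_worm_hosts "$dir/access_log" "$dir/worms.blocked"   # prints 10.0.0.1
    rm -rf "$dir"
}

run_demo
```

The sample is chosen so that the substring trap is visible: with a plain `fgrep $host` the listed 10.0.0.12 would hide 10.0.0.1, and that host would never be blocked.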
Re: [Paul] Shell script
Doh!

Now I have:

Code:
while read host
do
    # -x: match the whole line, so 10.0.0.1 is not "found" in 10.0.0.12
    fgrep -x "$host" /var/tmp/worms.blocked > /dev/null
    # fgrep exits 1 when nothing matched, i.e. the host is not yet listed
    if [ "$?" -eq "1" ]; then
        echo Adding $host to blocked sites
        echo "$host" >> /var/tmp/worms.blocked
        /sbin/ipchains -I input -s "$host" -j DENY -l
    fi
done

...and it keeps adding the same rules each time I run it - grrr
Re: [Paul] Shell script
Yes, you need to flush your rules. Each time you call ipchains, it adds a new rule, even if that rule is already there.

I haven't used ipchains very much, but with iptables you do:

IPTABLES=/sbin/iptables   # path assumed; point it at wherever iptables lives
echo -n "Flushing rulesets "
$IPTABLES -F              # delete every rule in every chain
$IPTABLES -X              # delete the (now empty) user-defined chains
$IPTABLES -Z              # zero the packet and byte counters
echo "... done!"

to clear the current rules. Then you just add back all your banned hosts.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Shell script
Thanks, I think this is what I need:

ipchains -F forward   # flush every rule in the forward chain
ipchains -F output    # ... in the output chain
ipchains -F input     # ... in the input chain
Re: [Alex] Shell script
Hmm I'm a bit confused now. If portsentry is adding new rules when port scans are detected but this shell script is flushing all rules won't I lose all the rules?

Last edited by: Paul: Nov 16, 2002, 4:35 AM
Re: [Alex] Shell script
Ugh I totally had that wrong. I should be building the list from my ipchains not /etc/hosts.deny - duh!
Re: [Alex] Shell script
OK, here is the end result - I'm quite proud of it.

http://supportsql.com/wormblock

The only problem is that to prevent DNS lookups I'm using:

ipchains --list -n

...however, if the host detected in the access_log was a host name and not an IP address, then when the script checks whether we've blocked this host or not it will always think no, as the IP obviously doesn't match the host name.
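As an added example (not Paul's wormblock script): the check rebuilt the way the last two posts point, reading the existing block set from the firewall's own numeric listing rather than from hosts.deny, and treating a host name from access_log as a separate case instead of a silent miss. The ipchains listing and the candidate hosts are constructed samples, the column layout assumed for `ipchains -L input -n` is stated in the comments, and turning `HostnameLookups` off in Apache is the usual way to avoid the host-name case altogether.

```shell
#!/bin/sh
# Added example, not the wormblock script.  Builds the "already blocked"
# set from the firewall's own numeric listing and flags log entries that
# are host names rather than addresses, since those can never match the
# -n output.

# blocked_sources LISTING
# LISTING is saved output of "ipchains -L input -n".  The layout assumed
# here is the ipchains -L column order (target prot opt source destination
# ports); only DENY rules contribute, and a trailing /32 is dropped so host
# rules compare equal to bare addresses.
blocked_sources() {
    awk '$1 == "DENY" { sub(/\/32$/, "", $4); print $4 }' "$1" | sort -u
}

# is_ipv4 STRING: true when STRING is a dotted quad with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# classify_hosts CANDIDATES LISTING
# CANDIDATES holds one log-derived host per line (the awk '{print $1}'
# output of the access_log scan).  Prints "new", "blocked" or "hostname"
# before each entry; "hostname" entries need resolving (or HostnameLookups
# turned off in Apache) before they can be compared with firewall rules.
classify_hosts() {
    candidates=$1
    listing=$2
    blocked=$(blocked_sources "$listing")
    while read -r host; do
        if ! is_ipv4 "$host"; then
            printf 'hostname %s\n' "$host"
        elif printf '%s\n' "$blocked" | grep -Fxq -- "$host"; then
            printf 'blocked %s\n' "$host"
        else
            printf 'new %s\n' "$host"
        fi
    done < "$candidates"
}

# run_demo: constructed listing in the shape of "ipchains -L input -n"
# output, plus three constructed candidates from a log scan.
run_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/listing" <<'EOF'
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ----l-  10.0.0.12            0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
EOF
    printf '%s\n' 10.0.0.1 crawler.example.net 10.0.0.12 > "$dir/candidates"
    classify_hosts "$dir/candidates" "$dir/listing"
    rm -rf "$dir"
}

run_demo
```

Because the block set comes from the live rules, the script no longer re-adds rules it already inserted, and a host-name entry is reported rather than being blocked twice or not at all.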
Re: [Paul] Shell script
You should upgrade your kernel to 2.4. I find iptables much easier to work with than ipchains.

- wil
Re: [Wil] Shell script
bash$ vi /proc/version
Linux version 2.4.2-2
Re: [Paul] Shell script
Hm. I'm no expert with ipchains or iptables, but I've found iptables easier to work with and I believe iptables should now be used as a replacement for ipchains.

http://www.linuxguruz.org/.../iptables-HOWTO.html

- wil
Re: [Paul] Shell script
I can't connect to the server, I haven't been blocked have I? =)

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Shell script
Heh, there's been a slight mishap!

I changed to iptables and found the following:

http://www.sns.ias.edu/~jns/security/iptables/

I used the provided code (after changing the config options) and ran it... erm, the server went bye-bye.

I can't connect with ssh/ftp or anything - I can't decide if it has shut down or just blocked everyone.
Re: [Paul] Shell script
Most likely blocked everyone. We did this once or twice while setting up the firewall. =) A good trick is to have a firewall start/stop script that has something like:

fw_test() {
    $0 start          # apply the rules through this script's own start action
    echo
    echo "Rules will be active for 30 seconds..."
    echo
    sleep 30
    $0 stop           # revert unconditionally, even if you locked yourself out
}

so that you can do:

/etc/rc.d/init.d/firewall test

which starts the rules, but automatically deactivates them after 30 seconds in case you mess up. =)

Cheers,

Alex
--
Gossamer Threads Inc.
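As an added example (not Alex's init script): the same "test" idea, but with the revert running from a background timer that can be cancelled once you have confirmed from a second session that you can still log in. `fw_start` and `fw_stop` are stand-ins that only record state in a file, so the pattern can be exercised without touching a firewall; on a real host they would apply and flush the rule set.

```shell
#!/bin/sh
# Added example, not Alex's init script.  Commit-confirmed firewall test:
# rules are applied, then reverted by a timer unless fw_commit cancels it.
# fw_start/fw_stop are stand-ins that record state in a file.

STATE_FILE=${STATE_FILE:-$(mktemp)}
PID_FILE=${PID_FILE:-$(mktemp)}

fw_start() { echo active > "$STATE_FILE"; }
fw_stop()  { echo inactive > "$STATE_FILE"; }
fw_state() { cat "$STATE_FILE"; }

# fw_test [SECONDS]: apply the rules, then revert after SECONDS (default 30)
# unless fw_commit is called first.  The timer is a separate process, so it
# still fires if this session is the one that got locked out.
fw_test() {
    window=${1:-30}
    fw_start
    ( sleep "$window"; fw_stop ) &
    echo $! > "$PID_FILE"
    echo "Rules active for $window seconds; run fw_commit to keep them"
}

# fw_commit: the operator can still reach the box, so cancel the revert.
fw_commit() {
    if [ -s "$PID_FILE" ]; then
        kill "$(cat "$PID_FILE")" 2>/dev/null || true
        : > "$PID_FILE"
    fi
}
```

Usage: `fw_test 30`, then open a fresh ssh session; if it connects, `fw_commit` keeps the rules, and if it does not, the timer reverts them on its own. Cancelling the timer leaves an orphaned `sleep` running until the window expires, which is harmless.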
Re: [Alex] Shell script
Thanks for the tip - I will certainly be using that next time.
Re: [Alex] Shell script
OK, you should be able to access the script now.

http://supportsql.com/wormblock
Re: [Paul] Shell script
So, if I go looking for root.exe, I will be banned?

Ivan
-----
Iyengar Yoga Resources / GT Plugins
Re: [yogi] Shell script
Yeah if I run the script with a cronjob or something (which currently it isn't)
Re: [Paul] Shell script
Looks pretty good. Two comments:

1. You may want to DROP rather than DENY the packets. Probably won't matter too much for virus blocks, but if you expand this so you can ban IPs of people trying to hack your site, then it's better to just drop incoming packets than to reply to the user.

2. If this is on a shared server, you should use /root/tmp for temp files, and not a world-writable directory, as you'll leave yourself open to symlink attacks.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Shell script
Thanks for the tips.

I'm going to have to modify it again as I changed to iptables from ipchains - I'll add in those changes and make the temp directory a variable instead of hard-coding it.
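As an added example (not the wormblock script): the symlink risk Alex raises, shown next to the safer pattern. The sandbox directory, the "victim" file and the planted link are constructed inside a temporary directory, so nothing outside it is touched; `/var/tmp` and `/root/tmp` appear only as names for what the two directories stand in for.

```shell
#!/bin/sh
# Added example, not the wormblock script.  Shows why a fixed file name in
# a world-writable directory is a symlink hazard for a root-run script, and
# the safer alternative: a private directory plus a freshly created file
# with an unpredictable name.

# Unsafe: predictable path.  The redirection opens whatever is already at
# that path, so a symlink planted by another local user turns the write
# into an overwrite of the link's target with this script's privileges.
write_list_unsafe() {
    tmpdir=$1
    printf '%s\n' "$2" > "$tmpdir/worms.blocked"
}

# Safer: create the directory 0700 if it does not exist yet (think
# /root/tmp rather than /var/tmp), then let mktemp create a brand-new file
# with a random name using O_EXCL, so a planted link is never opened.
# Prints the path of the file it wrote.
write_list_safe() {
    tmpdir=$1
    mkdir -p -m 0700 "$tmpdir" || return 1
    if [ -L "$tmpdir" ]; then      # the directory itself was swapped for a link
        return 1
    fi
    file=$(mktemp "$tmpdir/worms.XXXXXX") || return 1
    printf '%s\n' "$2" > "$file"
    printf '%s\n' "$file"
}

# run_demo: a sandbox standing in for a shared /var/tmp, with a file an
# attacker wants clobbered and a symlink planted at the predictable name
# (all constructed).  Both writers run against the same directory so the
# difference is down to how the file is opened.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/var_tmp"
    : > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/var_tmp/worms.blocked"

    write_list_unsafe "$sandbox/var_tmp" 10.0.0.1
    if [ -s "$sandbox/victim" ]; then r=yes; else r=no; fi
    printf 'unsafe: victim overwritten=%s\n' "$r"

    : > "$sandbox/victim"
    write_list_safe "$sandbox/var_tmp" 10.0.0.1 > /dev/null
    if [ -s "$sandbox/victim" ]; then r=yes; else r=no; fi
    printf 'safe: victim overwritten=%s\n' "$r"

    rm -rf "$sandbox"
}

run_demo
```

On a real host the two measures go together: the private directory stops another user planting anything in the first place, and mktemp means that even a planted link at a guessed name is never followed.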